Analysis
- max time kernel: 144s
- max time network: 143s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 19-01-2021 12:11
- Static task: static1
- Behavioral task: behavioral1 (Sample: X[1].bin.exe, Resource: win7v20201028)
- Behavioral task: behavioral2 (Sample: X[1].bin.exe, Resource: win10v20201028)
General
- Target: X[1].bin.exe
- Size: 901KB
- MD5: 762d680bba4270694d5487e7d4f0a014
- SHA1: 97e37c21b1ec5b0332e8cb09ed0535b7c6516bdf
- SHA256: c5ec4ced753e67fba6b0b4a720f5bb6611fbbaa6f74e9369193735d42258a0c0
- SHA512: 6628da111ce1a5bc1a4e85fb3c250b9e28bee432643c3c3b238dcca28c45e536e938e4f653293e47240908722e49dcda4aa37fcc6259b4661b0c85537ee9a76a
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
- Family: makop
- Contact email: Yamer2@protonmail.com
Signatures
- Makop
  Ransomware family discovered by @VK_Intel in early 2020.
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
  Processes: PID 1928 wbadmin.exe
- Modifies extensions of user files (1 IoC)
  Ransomware generally changes the extension on encrypted files.
  Processes:
    File opened for modification: C:\Users\Admin\Pictures\DebugTest.tiff (X[1].bin.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
    Set value (str): \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\X[1].bin.exe\"" (X[1].bin.exe)
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Suspicious use of SetThreadContext (3 IoCs)
  Processes:
    PID 544 set thread context of 1744 (X[1].bin.exe → X[1].bin.exe)
    PID 436 set thread context of 1268 (X[1].bin.exe → X[1].bin.exe)
    PID 1112 set thread context of 108 (X[1].bin.exe → X[1].bin.exe)
- Drops file in Program Files directory (9659 IoCs; 64 listed here)
  Process: X[1].bin.exe
  File created (3, the ransom note readme-warning.txt):
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\readme-warning.txt
    C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\readme-warning.txt
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\readme-warning.txt
  File opened for modification (61):
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png
    C:\Program Files\Java\jre7\lib\zi\SystemV\HST10
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG
    C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0293844.WMF
    C:\Program Files (x86)\Microsoft Office\Office14\MSACC.OLB
    C:\Program Files\7-Zip\Lang\sk.txt
    C:\Program Files\Common Files\Microsoft Shared\ink\ipsfin.xml
    C:\Program Files\Java\jre7\lib\zi\America\Panama
    C:\Program Files\VideoLAN\VLC\lua\playlist\bbc_co_uk.luac
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0239951.WMF
    C:\Program Files (x86)\Microsoft Office\Document Themes 14\Hardcover.thmx
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg
    C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\ResourceInternal.zip
    C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\slideShow.js
    C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\203x8subpicture.png
    C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME22.CSS
    C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGSTORY.XML
    C:\Program Files\Java\jre7\lib\zi\SystemV\CST6CDT
    C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\1033\VBLR6.CHM
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00694_.WMF
    C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0283209.GIF
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15272_.GIF
    C:\Program Files (x86)\Microsoft Office\Office14\1033\ONENOTE_COL.HXT
    C:\Program Files\Java\jre7\lib\zi\America\Ojinaga
    C:\Program Files (x86)\Microsoft Office\Office14\1033\POWERPNT.DEV_F_COL.HXK
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\LucidaBrightDemiItalic.ttf
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\license.html
    C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrowMask.bmp
    C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\rtf_choosecolor.gif
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Scoresbysund
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153516.WMF
    C:\Program Files (x86)\Microsoft Office\Document Themes 14\Executive.thmx
    C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Response.gif
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\Accra
    C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\bg-dock.png
    C:\Program Files\DVD Maker\Shared\DvdStyles\16to9Squareframe_VideoInset.png
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0195260.WMF
    C:\Program Files\Common Files\Microsoft Shared\ink\cs-CZ\tipresx.dll.mui
    C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\performance.png
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\oracle.gif
    C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\settings_corner_top_left.png
    C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\Kamchatka
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\ECLIPSE_.RSA
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\MANIFEST.MF
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00413_.WMF
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\NA02388_.WMF
    C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\com.jrockit.mc.rjmx.service.exsd
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-openide-awt_zh_CN.jar
    C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml
    C:\Program Files\Java\jre7\lib\zi\America\New_York
    C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\modern_settings.png
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP
    C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14871_.GIF
    C:\Program Files\Common Files\Microsoft Shared\Stationery\Shorthand.emf
    C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.JP.XML
    C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\dialdot_lrg.png
    C:\Program Files\Java\jdk1.7.0_80\COPYRIGHT
    C:\Program Files\Java\jre7\lib\zi\America\Argentina\San_Juan
    C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\vlc.mo
    C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\AG00021_.GIF
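The file and registry IoC rows above (the user-file modification, the Run key, and the Program Files writes with their readme-warning.txt drops) all share one flat layout: an operation, a target, and the process name, with no delimiter between them. The Python below is an added example, not the sandbox's own parser or anything from the Makop sample, that reads rows in that layout and applies three checks a responder would want from this report: the directories that received the ransom note, how many files were opened for modification under each top-level directory, and whether a Run value points at a user-writable location. The sample rows are constructed from entries on this page; the process name used as the row terminator, the unescaping rule for REG_SZ data (the report prints it as a C-style quoted literal) and the list of user-writable prefixes are assumptions.

```python
"""Parser and checks for the flat IoC rows in this report: '<op> <target> <process>'.

Added example; not the sandbox's own code. SAMPLE_IOCS is constructed from rows
shown on this page. Assumptions: the process name terminates each row, REG_SZ
data is printed as a C-style quoted literal, and USER_WRITABLE lists the
locations a Run value should not normally point at.
"""
import ntpath
import re
from collections import Counter

SAMPLE_IOCS = r'''
File opened for modification C:\Users\Admin\Pictures\DebugTest.tiff X[1].bin.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\X[1].bin.exe\"" X[1].bin.exe
File opened for modification C:\Program Files\7-Zip\Lang\sk.txt X[1].bin.exe
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSACC.OLB X[1].bin.exe
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\readme-warning.txt X[1].bin.exe
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\readme-warning.txt X[1].bin.exe
File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\bbc_co_uk.luac X[1].bin.exe
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\readme-warning.txt X[1].bin.exe
'''

OPS = ("File opened for modification", "File created", "Key created",
       "Set value (str)", "Set value (data)")


def ioc_regex(process):
    """Rows carry no delimiter, so the process name (followed by whitespace or
    end of text) is the only reliable terminator. Lazy matching on the target
    keeps a process name embedded in a registry value from ending the row early,
    and the pattern also works on the report's single-line, run-together form."""
    ops = "|".join(re.escape(op) for op in OPS)
    return re.compile(rf"({ops})\s+(.+?)\s+({re.escape(process)})(?=\s|$)")


def parse_iocs(text, process="X[1].bin.exe"):
    return [{"op": m.group(1), "target": m.group(2), "process": m.group(3)}
            for m in ioc_regex(process).finditer(text)]


def ransom_note_dirs(iocs, note_name="readme-warning.txt"):
    """Directories that received the ransom note: one per folder the encryptor visited."""
    return sorted({ntpath.dirname(i["target"]) for i in iocs
                   if i["op"] == "File created"
                   and ntpath.basename(i["target"]).lower() == note_name.lower()})


def modified_by_root(iocs):
    """Count 'opened for modification' rows per top-level directory (drive plus first folder)."""
    counts = Counter()
    for i in iocs:
        if i["op"] == "File opened for modification":
            parts = i["target"].split("\\")
            counts["\\".join(parts[:2])] += 1
    return counts


RUN_KEY = "\\microsoft\\windows\\currentversion\\run\\"
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\users\\public\\", "\\downloads\\", "\\programdata\\")


def unescape_reg_sz(literal):
    # The report prints REG_SZ data as a C-style literal: surrounding quotes,
    # escaped inner quotes and doubled backslashes. Undo all three.
    if len(literal) >= 2 and literal[0] == '"' and literal[-1] == '"':
        literal = literal[1:-1]
    return literal.replace('\\"', '"').replace('\\\\', '\\')


def run_key_persistence(iocs):
    """Run values whose command points into a user-writable location."""
    hits = []
    for i in iocs:
        if not i["op"].startswith("Set value") or " = " not in i["target"]:
            continue
        key, _, value = i["target"].partition(" = ")
        if RUN_KEY not in key.lower():
            continue
        command = unescape_reg_sz(value).strip('"')
        hits.append({"key": key, "command": command,
                     "user_writable": any(p in command.lower() for p in USER_WRITABLE)})
    return hits


if __name__ == "__main__":
    rows = parse_iocs(SAMPLE_IOCS)
    print("ransom notes in:", *ransom_note_dirs(rows), sep="\n  ")
    print("modified per root:", dict(modified_by_root(rows)))
    for hit in run_key_persistence(rows):
        print("Run key ->", hit["command"], "(user-writable)" if hit["user_writable"] else "")
```

On the full table the per-root counts are what separates an encryptor from an installer: thousands of "opened for modification" rows spread across Program Files, Office media folders and the user's profile, with a note file created in each folder, is the pattern every row above is an instance of.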
- Interacts with shadow copies (2 TTPs, 1 IoC)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: PID 784 vssadmin.exe
- Modifies system certificate store (3 IoCs)
  Processes:
    Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 (X[1].bin.exe)
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob, not reproduced in this listing) (X[1].bin.exe)
    Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (binary certificate blob, not reproduced in this listing) (X[1].bin.exe)
  Writes under AuthRoot\Certificates are also produced by Windows' automatic root-certificate update when a process first needs a root that is not yet installed, so on its own this row is weak evidence of tampering.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: PID 1744 X[1].bin.exe
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes:
    PID 612 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    PID 1608 wbengine.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
    PID 1636 WMIC.exe (the following 20 privileges, each enabled twice): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
  The bare numbers are privilege LUIDs the sandbox did not resolve to names: 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege and 35 SeCreateSymbolicLinkPrivilege.
- Suspicious use of WriteProcessMemory (40 IoCs)
  Processes:
    PID 544 wrote to memory of 1744 (X[1].bin.exe → X[1].bin.exe), 9 times
    PID 1744 wrote to memory of 268 (X[1].bin.exe → cmd.exe), 4 times
    PID 268 wrote to memory of 784 (cmd.exe → vssadmin.exe), 3 times
    PID 268 wrote to memory of 1928 (cmd.exe → wbadmin.exe), 3 times
    PID 268 wrote to memory of 1636 (cmd.exe → WMIC.exe), 3 times
    PID 436 wrote to memory of 1268 (X[1].bin.exe → X[1].bin.exe), 9 times
    PID 1112 wrote to memory of 108 (X[1].bin.exe → X[1].bin.exe), 9 times
Processes
- C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe (PID 544)
  Command line: "C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe"
  Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe (PID 1744, hollowed by 544)
    Command line: "{path}"
    Signatures: Modifies extensions of user files; Adds Run key to start application; Drops file in Program Files directory; Modifies system certificate store; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe" n1744
      Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe
        Command line: "{path}"
    - C:\Windows\system32\cmd.exe (PID 268)
      Command line: "C:\Windows\system32\cmd.exe"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe (PID 784)
        Command line: vssadmin delete shadows /all /quiet
        Signatures: Interacts with shadow copies
      - C:\Windows\system32\wbadmin.exe (PID 1928)
        Command line: wbadmin delete catalog -quiet
        Signatures: Deletes backup catalog
      - C:\Windows\System32\Wbem\WMIC.exe (PID 1636)
        Command line: wmic shadowcopy delete
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe" n1744
      Signatures: Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe
        Command line: "{path}"
- C:\Windows\system32\vssvc.exe (PID 612)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (PID 1608)
  Command line: "C:\Windows\system32\wbengine.exe"
  Signatures: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  Command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  Command line: C:\Windows\System32\vds.exe

Notes on the tree: PIDs are taken from the IoC tables above. The two "n1744" relaunches are PIDs 436 and 1112; each hollows a further copy of the sample (1268 and 108 respectively) with the same SetThreadContext plus WriteProcessMemory sequence that 544 used on 1744, and the argument n1744 equals the PID of the hollowed process that launched them. The report prints the command line of every hollowed child as "{path}". vssvc.exe (Volume Shadow Copy service), wbengine.exe (Windows Backup engine) and vds.exe with its loader vdsldr.exe (Virtual Disk Service) are service-hosted processes started on behalf of the vssadmin, wbadmin and wmic calls, which is why they sit at the top level rather than under the sample.
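The process tree above is the whole Makop chain in one place: the sample relaunches its own image and hollows it (SetThreadContext plus WriteProcessMemory from a parent into a child spawned from the same image, as the two signature tables above record), and the hollowed copy spawns cmd.exe to run vssadmin, wbadmin and wmic against the shadow copies and the backup catalog (the "Deletes shadow copies" and "Interacts with shadow copies" signatures). The Python below is an added example, not code from the sandbox or from the Makop sample, that turns both observations into detection logic over process-creation and injection events. The event records are constructed from the PIDs and command lines on this page in a Sysmon-like shape; the parent PID of the first X[1].bin.exe and the record layout are assumptions, since the report shows neither.

```python
"""Detection logic for the chain in the process tree above: self-hollowing
(a parent writes into, then sets the thread context of, a child spawned from
its own image) followed by cmd.exe running the shadow-copy and backup-catalog
deletions (MITRE ATT&CK T1490, Inhibit System Recovery).

Added example, not code from the sandbox or from the Makop sample. PROCS and
INJECTS are constructed from the PIDs and command lines on this page in a
Sysmon-like shape; the parent PID of the first X[1].bin.exe (1000) is an
assumption, since the report does not show it.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")
Inject = namedtuple("Inject", "src_pid dst_pid api")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\X[1].bin.exe"

# Process creations, constructed from the report's process tree.
PROCS = [
    Proc(544, 1000, SAMPLE, f'"{SAMPLE}"'),
    Proc(1744, 544, SAMPLE, '"{path}"'),      # hollowed by 544
    Proc(436, 1744, SAMPLE, f'"{SAMPLE}" n1744'),
    Proc(1268, 436, SAMPLE, '"{path}"'),      # hollowed by 436
    Proc(268, 1744, r"C:\Windows\system32\cmd.exe", r'"C:\Windows\system32\cmd.exe"'),
    Proc(784, 268, r"C:\Windows\system32\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    Proc(1928, 268, r"C:\Windows\system32\wbadmin.exe", "wbadmin delete catalog -quiet"),
    Proc(1636, 268, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic shadowcopy delete"),
    Proc(1112, 1744, SAMPLE, f'"{SAMPLE}" n1744'),
    Proc(108, 1112, SAMPLE, '"{path}"'),      # hollowed by 1112
]

# Cross-process calls from the SetThreadContext / WriteProcessMemory tables.
# CreateProcess itself writes into the new child, so the 1744 -> 268 and
# 268 -> 784 WriteProcessMemory rows are expected noise, not injection.
INJECTS = [
    Inject(544, 1744, "SetThreadContext"), Inject(544, 1744, "WriteProcessMemory"),
    Inject(436, 1268, "SetThreadContext"), Inject(436, 1268, "WriteProcessMemory"),
    Inject(1112, 108, "SetThreadContext"), Inject(1112, 108, "WriteProcessMemory"),
    Inject(1744, 268, "WriteProcessMemory"), Inject(268, 784, "WriteProcessMemory"),
]

# The three T1490 command lines seen under cmd.exe in this report.
BACKUP_INHIBITION = [
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I), "wbadmin delete catalog"),
    (re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I), "wmic shadowcopy delete"),
]


def find_hollowing(procs, injects):
    """(parent, child) pairs where a process both wrote memory into and set the
    thread context of a child it created from its own image file."""
    by_pid = {p.pid: p for p in procs}
    apis = {}
    for inj in injects:
        apis.setdefault((inj.src_pid, inj.dst_pid), set()).add(inj.api)
    hits = []
    for (src, dst), seen in apis.items():
        if not {"SetThreadContext", "WriteProcessMemory"} <= seen:
            continue
        parent, child = by_pid.get(src), by_pid.get(dst)
        if parent and child and child.ppid == src and child.image.lower() == parent.image.lower():
            hits.append((src, dst))
    return sorted(hits)


def ancestry(pid, by_pid):
    """PIDs from pid up to the oldest ancestor in the event set (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid].ppid
    return chain


def find_backup_inhibition(procs):
    """Match T1490 command lines and trace each to its root process, so the
    alert says who asked for the deletion (here: a binary in the user's Temp)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        for pattern, technique in BACKUP_INHIBITION:
            if pattern.search(p.cmdline):
                chain = ancestry(p.pid, by_pid)
                root = by_pid[chain[-1]]
                hits.append({"pid": p.pid, "technique": technique, "chain": chain,
                             "root_image": root.image,
                             "root_in_user_dir": root.image.lower().startswith("c:\\users\\")})
    return hits


if __name__ == "__main__":
    for parent, child in find_hollowing(PROCS, INJECTS):
        print(f"hollowing: {parent} -> {child}")
    for h in find_backup_inhibition(PROCS):
        print(f"T1490 {h['technique']}: pid={h['pid']} chain={h['chain']} root={h['root_image']}")
```

Requiring SetThreadContext as well as WriteProcessMemory is what keeps the 1744 → 268 and 268 → 784 rows from firing: every CreateProcess produces WriteProcessMemory into the new child, and the report's 40 such rows are mostly that. The ancestry walk is the part worth keeping in a real rule: "vssadmin delete shadows" run from a backup console is routine, the same command whose root process is an executable in a user's Temp directory is not.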
Downloads
- memory/108-35-0x0000000000405790-mapping.dmp
- memory/268-11-0x0000000000000000-mapping.dmp
- memory/436-18-0x0000000007230000-0x0000000007231000-memory.dmp (Filesize 4KB)
- memory/436-13-0x0000000001010000-0x0000000001011000-memory.dmp (Filesize 4KB)
- memory/436-12-0x0000000074950000-0x000000007503E000-memory.dmp (Filesize 6MB)
- memory/544-7-0x00000000006D0000-0x000000000072C000-memory.dmp (Filesize 368KB)
- memory/544-2-0x00000000749D0000-0x00000000750BE000-memory.dmp (Filesize 6MB)
- memory/544-6-0x0000000000300000-0x000000000030E000-memory.dmp (Filesize 56KB)
- memory/544-5-0x00000000049C0000-0x00000000049C1000-memory.dmp (Filesize 4KB)
- memory/544-3-0x0000000001010000-0x0000000001011000-memory.dmp (Filesize 4KB)
- memory/784-15-0x0000000000000000-mapping.dmp
- memory/1112-31-0x0000000000CC0000-0x0000000000CC1000-memory.dmp (Filesize 4KB)
- memory/1112-29-0x0000000001010000-0x0000000001011000-memory.dmp (Filesize 4KB)
- memory/1112-28-0x00000000737A0000-0x0000000073E8E000-memory.dmp (Filesize 6MB)
- memory/1268-24-0x0000000000405790-mapping.dmp
- memory/1636-27-0x000007FEF6790000-0x000007FEF6A0A000-memory.dmp (Filesize 2MB)
- memory/1636-21-0x0000000000000000-mapping.dmp
- memory/1744-8-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize 116KB)
- memory/1744-17-0x0000000000400000-0x000000000041D000-memory.dmp (Filesize 116KB)
- memory/1744-10-0x0000000076881000-0x0000000076883000-memory.dmp (Filesize 8KB)
- memory/1744-9-0x0000000000405790-mapping.dmp
- memory/1928-20-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmp (Filesize 8KB)
- memory/1928-19-0x0000000000000000-mapping.dmp
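The dump names above encode the PID, a sequence number, the start address (and, for region dumps, the end address) and the dump kind. Two things in the list are worth a second look: the three SetThreadContext targets (1744, 1268, 108) all have a mapping dump at 0x405790, inside the 0x400000-0x41D000 image region that was dumped twice for PID 1744, and the region dumps' Filesize values can be recomputed from the address ranges. The Python below is an added example, not the sandbox's own tooling, that parses that layout, checks every region dump's size against the Filesize shown, groups dumps by PID and reports mapping addresses shared across PIDs. The name layout is inferred from the entries on this page, and the Filesize style (whole MB, else whole KB, rounded down) is an assumption that every entry listed here satisfies.

```python
"""Parser for the dump names listed under Downloads and a size check against
the Filesize column.

Added example; not the sandbox's own tooling. The name layout
memory/<pid>-<seq>-<start>[-<end>]-<memory|mapping>.dmp is inferred from the
entries on this page; the Filesize style (whole MB or KB, rounded down) is an
assumption. LISTING is copied from the page (mapping dumps show no size).
"""
import re

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-(?P<start>0x[0-9A-Fa-f]+)"
    r"(?:-(?P<end>0x[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

LISTING = [
    ("memory/108-35-0x0000000000405790-mapping.dmp", None),
    ("memory/268-11-0x0000000000000000-mapping.dmp", None),
    ("memory/436-18-0x0000000007230000-0x0000000007231000-memory.dmp", "4KB"),
    ("memory/436-13-0x0000000001010000-0x0000000001011000-memory.dmp", "4KB"),
    ("memory/436-12-0x0000000074950000-0x000000007503E000-memory.dmp", "6MB"),
    ("memory/544-7-0x00000000006D0000-0x000000000072C000-memory.dmp", "368KB"),
    ("memory/544-2-0x00000000749D0000-0x00000000750BE000-memory.dmp", "6MB"),
    ("memory/544-6-0x0000000000300000-0x000000000030E000-memory.dmp", "56KB"),
    ("memory/544-5-0x00000000049C0000-0x00000000049C1000-memory.dmp", "4KB"),
    ("memory/544-3-0x0000000001010000-0x0000000001011000-memory.dmp", "4KB"),
    ("memory/784-15-0x0000000000000000-mapping.dmp", None),
    ("memory/1112-31-0x0000000000CC0000-0x0000000000CC1000-memory.dmp", "4KB"),
    ("memory/1112-29-0x0000000001010000-0x0000000001011000-memory.dmp", "4KB"),
    ("memory/1112-28-0x00000000737A0000-0x0000000073E8E000-memory.dmp", "6MB"),
    ("memory/1268-24-0x0000000000405790-mapping.dmp", None),
    ("memory/1636-27-0x000007FEF6790000-0x000007FEF6A0A000-memory.dmp", "2MB"),
    ("memory/1636-21-0x0000000000000000-mapping.dmp", None),
    ("memory/1744-8-0x0000000000400000-0x000000000041D000-memory.dmp", "116KB"),
    ("memory/1744-17-0x0000000000400000-0x000000000041D000-memory.dmp", "116KB"),
    ("memory/1744-10-0x0000000076881000-0x0000000076883000-memory.dmp", "8KB"),
    ("memory/1744-9-0x0000000000405790-mapping.dmp", None),
    ("memory/1928-20-0x000007FEFC2B1000-0x000007FEFC2B3000-memory.dmp", "8KB"),
    ("memory/1928-19-0x0000000000000000-mapping.dmp", None),
]


def parse_dump(name):
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end, "size": end - start if end is not None else None}


def human_size(n):
    """Whole MiB when at least 1 MiB, else whole KiB, both rounded down:
    0x6EE000 bytes (6.93 MiB) prints as 6MB, which is what the report shows."""
    return f"{n >> 20}MB" if n >= 1 << 20 else f"{n >> 10}KB"


def check_sizes(listing):
    """(name, shown, recomputed) for every region dump whose address range
    disagrees with the Filesize column; an empty list means it is consistent."""
    bad = []
    for name, shown in listing:
        d = parse_dump(name)
        if d["kind"] == "memory" and human_size(d["size"]) != shown:
            bad.append((name, shown, human_size(d["size"])))
    return bad


def group_by_pid(names):
    groups = {}
    for d in map(parse_dump, names):
        groups.setdefault(d["pid"], []).append(d)
    return groups


def shared_mapping_addresses(names):
    """Non-zero mapping addresses seen in more than one PID. The same address in
    several processes of one image is what a hollowed entry point looks like."""
    seen = {}
    for d in map(parse_dump, names):
        if d["kind"] == "mapping" and d["start"] != 0:
            seen.setdefault(d["start"], set()).add(d["pid"])
    return {hex(a): sorted(p) for a, p in seen.items() if len(p) > 1}


if __name__ == "__main__":
    names = [n for n, _ in LISTING]
    print("size mismatches:", check_sizes(LISTING))
    print("shared mapping addresses:", shared_mapping_addresses(names))
    for pid, dumps in sorted(group_by_pid(names).items()):
        print(pid, [(d["seq"], d["kind"], hex(d["start"])) for d in dumps])
```

When triaging a report like this, the 0x400000-0x41D000 dumps of PID 1744 are the ones to open first: that is the image region of the hollowed process, and the mapping address 0x405790 shared by all three hollowed children is where its thread context was pointed.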